Question

I would like to know how I can configure my Apache 2 (version 2.0.64) to use multiple key/certificate pairs for mutual authentication.

More precisely, I have configured my apache to accept SSL connections on port 443 by using this config:

<VirtualHost _default_:443>
     SSLEngine on
     SSLCertificateFile certs/mycert.crt
     SSLCertificateKeyFile certs/mykey.key
     SSLCACertificateFile certs/ca.crt
     .....
</VirtualHost>

I have 2 aliases, let's say:

https://myserver/project1
https://myserver/project2

I would like to use different key/certificate pairs (than mykey.key/mycert.crt) to authenticate clients that connect to my 2nd URL (https://myserver/project2).

I tried with the <Location> and <LocationMatch> directives, but SSL directives do not seem to be supported under these ones.

How can this be done?


Solution

There is an extension named Service Name Indication (aka SNI) in TLS. The TLS client indicates the name of the server it is connected to; therefore the server is able to select the correct key and certificate to use.

According to the SNI wikipedia page, both Apache 2 modules mod_ssl and mod_gnutls seem to support this extension, and so do numerous web clients.

An Apache 2 configuration tutorial is available here: http://en.gentoo-wiki.com/wiki/Apache2/SSL_and_Name_Based_Virtual_Hosts
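As an added illustration of the SNI approach described above (example configuration, not part of the original answer or the linked tutorial), two name-based TLS virtual hosts on one IP and port, each with its own server key/certificate pair, and client-certificate verification required only on the second one. It assumes mod_ssl on Apache 2.2.12 or later built against an SNI-capable OpenSSL, and that project2 is served under its own hostname (project2.example.com is a placeholder), because SNI selects a certificate by hostname, never by URL path; the certs/project2-* file names are hypothetical.

```apache
# Added example: SNI-based selection of two different server certificates.
# Assumes Apache 2.2.12+ with mod_ssl and an SNI-capable OpenSSL.
Listen 443
NameVirtualHost *:443

# First vhost is the default for *:443 (used when a client sends no SNI).
<VirtualHost *:443>
    ServerName myserver.example.com
    SSLEngine on
    SSLCertificateFile    certs/mycert.crt
    SSLCertificateKeyFile certs/mykey.key
    # No client certificate needed for project1
    SSLVerifyClient none
    DocumentRoot /var/www/project1
</VirtualHost>

# Second vhost, chosen when the client's SNI name matches this ServerName.
<VirtualHost *:443>
    ServerName project2.example.com
    SSLEngine on
    # Separate server key/certificate pair (hypothetical file names)
    SSLCertificateFile    certs/project2.crt
    SSLCertificateKeyFile certs/project2.key
    # CA that issued the client certificates accepted here. This directive
    # is valid only in server/vhost context, which is why it cannot be set
    # per <Location>; SSLVerifyClient itself may be used in <Location>.
    SSLCACertificateFile  certs/project2-clients-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2
    # Clients that send no SNI cannot reach this vhost at all, so they
    # cannot bypass the client-certificate requirement via the default vhost.
    SSLStrictSNIVHostCheck on
    DocumentRoot /var/www/project2
</VirtualHost>
```

To confirm which certificate a given name receives, connect with `openssl s_client -connect myserver.example.com:443 -servername project2.example.com` and compare the subject in the output against the first vhost's certificate.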

Other tips

Possible solutions to have SNI with apache2:

  • Upgrade apache2 to version 2.2.x
  • Compile/Install gnutls with apache2
License: CC-BY-SA with attribution
Not affiliated with StackOverflow